Thông tư 44/2011/TT-NHNN

CIRCULAR

PROVIDING FOR THE INTERNAL CONTROL SYSTEM AND INTERNAL AUDIT OF CREDIT INSTITUTIONS, FOREIGN BANK'S BRANCHES

- Pursuant to the Law on the State Bank of Vietnam No. 46/2010/QH12 dated 16 June 2010;

- Pursuant to the Law on Credit Institutions No. 47/2010/QH12 dated 16 June 2010;

- Pursuant to the Decree No. 96/2008/ND-CP dated 26 August 2008 of the Government providing for the functions, duties, authorities and organizational structure of the State Bank of Vietnam;

The State Bank of Vietnam hereby provides for the internal control, internal audit of credit institutions, foreign bank's branches as follows:

Chapter I

GENERAL PROVISIONS

Article 1. Governing scope

This Circular provides for internal control system and internal audit of credit institutions, foreign bank's branches.

Article 2. Subjects of application

1. Credit institutions;

2. Foreign bank's branches;

3. Organizations, individuals related to the internal control system and internal audit of credit institutions, foreign bank's branches.

Article 3. Interpretation

1. Internal control system shall mean a set of mechanisms, policies, procedures, internal regulations, organizational structure of credit institutions, foreign bank's branches, which are set up in accordance with provisions of this Circular and are implemented for the purpose of prevention, timely detection and dealing with risk and meeting the proposed requirement.

2. Internal audit shall mean the checking, independent and objective assessment of the internal control system; assessment of the conformity and compliance with regulations, internal policies, procedures, processes which are established within the credit institutions, foreign bank's branches; giving recommendations for improving the efficiency of the systems, processes, regulations, making contribution to ensuring the credit institutions' activity to be safe, efficient and complied with laws.

3. Internal auditors shall be persons who perform the internal audit work of the credit institutions, foreign bank's branches in accordance with provisions of this Circular.

4. State Bank's branch shall be State Bank's branch in the province, city where the head office of the credit institution, foreign bank's branch is located.

Chapter II

INTERNAL CONTROL SYSTEM

Article 4. Requirements and principles of operation of the internal control system

1. Any risk that is potentially harmful to the efficiency and operation objectives of the credit institution, foreign bank's branch shall be identified, measured, assessed on a regular and ongoing basis so as to timely detect, prevent and prepare appropriate measure for risk management. Upon any change in business target, product, service and new business line, the credit institution, foreign bank's branch shall check, idenfity any related risk in order to set up, amend, supplement their mechanisms, processes, regulations on internal control accordingly.

2. Operation of the internal control system shall be an integral part of daily activities of the a credit institution, foreign bank's branch. Internal control shall be designed, installed and implemented immediately in all operational processes at all units, divisions of the credit institution, foreign bank's branch in various forms, such as:

a) Clear and explicit power delegation; ensuring to clearly separate the duties and powers of individuals, divisions in the credit institution, foreign bank's branch;

b) Regulation on the specific risk limit for each individual, division in the performance of transactions;

c) Process on the appraisal and approval of transactions; a process should be ensured to have the involvement of at least 02 officers, one performs and the other controls the transaction. Any individual shall be prohibited from performing and deciding an operational process, a specific transaction alone, except for transactions within the limit approved by the credit institution, foreign bank's branch in accordance with provisions of applicable laws.

3. The power delegation shall be established and implemented on a reasonable, detailed and clear basis so as to avoid conflict of interests; ensuring the principle that one officer shall not concurrently assume different positions, duties with the contradictory or overlapped purpose and interests; ensuring that any officer in the credit institution, foreign bank's branch shall not be facilitated to control activities, suppress information for personal purpose or conceal acts of violation of laws and internal regulations of the credit institution, foreign bank's branch.

4. Ensuring the implementation of accounting regime in line with applicable provisions and there should be an internal information system on finance, operation, compliance performance at the credit institution, foreign bank's branch and on the outside economic, market situation that is sensible, reliable and timely for an efficient administration and management task.

5. The information system, information technology of the credit institution, foreign bank's branch shall be monitored and protected in an appropriate and safe manner. There should be an independent back-up management mechanism in order to timely cope with unexpected situation, including natural disaster, fire, explosion, hacker… so as to ensure the compliance with provisions on safety and security of the bank's information technology system, ensure the business of the credit institution, foreign bank's branch to be regular and uninterrupted.

6. Ensuring that every staff of the credit institution, foreign bank's branch shall be aware of the importance of internal control activity; role of each individual in the internal control process relating to their function, duty, and fully and efficiently implement relevant regulations, processes of internal control.

7. Manager of divisions, operational units and related individuals shall regularly review and assess the effectiveness and efficiency of the internal control system; any shortcoming of the system shall be timely reported to the management in charge; major shortcomings that may be harmful or be risky shall be immediately reported to the General Director (Director), Board of Directors, Board of Members, Controllers' Committee.

8. Any individual, division of any level of the credit institution, foreign bank's branch shall, regularly and constantly, inspect and self inspect the implementation of related internal regulations, processes and be responsible for the result of their operational performance to the credit institution, foreign bank's branch and to the law.

9. Head of units, divisions of the credit institution, foreign bank's branch shall be responsible

for reporting the result of their assessment on the internal control of their unit; recommending solution for shortcomings, inadequacies (if any) to the management in charge, on a periodical or unexpected basis, upon request by the management in charge.

Article 5. Establishment and maintenance of operation of the internal control system

1. The credit institution, foreign bank's branch shall establish an internal control system to assist the General Director (Director) to manage, smoothly, safely and in compliance with laws, every operational activity of the credit institution, foreign bank's branch.

2. The credit institution, foreign bank's branch shall closely monitor the implementation of laws and internal regulations; directly supervise operational activities in all areas at the head office, transaction department, branches, representative offices, non-productive units and subsidiaries of the credit institution, foreign bank's branch. The credit institution shall regularly review the implementation of laws and internal regulations by their associated companies in accordance with provisions of applicable laws.

3. The credit institution, foreign bank's branch shall, upon finding out any mistake, difficulty in the course of business, timely define and take corrective actions.

Article 6. Self inspection and assessment of the internal control system

1. On an annual basis, the General Director (Director) of the credit institution, foreign bank's branch shall proceed to review, inspect and assess, by himself, the internal control system of the credit institution, foreign bank's branch at every unit, division of management, business, operation and each operational activity.

2. The self review and assessment as above said shall include the review and asssessment on the adequacy, effectiveness and efficiency of the internal control system based on the identification and evaluation of risk so as to determine the weaknesses of the internal control system and indicate necessary changes to the internal control system for handling and overcoming such problems.

3. General Director (Director) of the credit institution, foreign bank's branch shall make report on the self review, assessment of the internal control system as mentioned above. This report should be updated with risks and summarise major activities of the credit institution, foreign bank's branch, all the relevant risks and review, control activities at the level of entire credit institution, foreign bank's branch, at the level of each unit, division and each operation.

4. The abovesaid report of self review and assessment on the internal control system shall be submitted to the Board of Directors, Board of Members, Controllers' Committee and sent to the State Bank (Banking Inspection and Supervision Department; State Bank's branch) within a period of 30 days since the ending of the fiscal year; report of a People's credit fund alone shall be submitted to the State Bank's branch.

Article 7. Independent assessment of the internal control system

1. Operation of the internal control system of a credit institution, foreign bank's branch shall be subject to independent assessment in accordance with provisions in Paragraph 3 Article 40 of the Law on Credit Institutions.

2. Contents of an independent assessment by the internal audit as to the internal control system shall include review, assessment and report on the adequacy, efficiency of the internal control system with regard to the audited operation, area through the risk identification and measurement, defining shortcomings of the internal control system and defining necessary changes to the internal control system for settlement.

3. On an annual basis, internal audit of the credit institution, foreign bank’s branch shall be required to carry out the review and assessment on the conformability, efficiency of the internal control system. This independent assessment report shall be an integral part of the annual internal audit report.

Internal audit result shall be timely reported to the Board of Directors, Board of Members, Controllers’ Committee and submitted to the General Director (Director) of the credit institution, foreign bank’s branch and copied to the State Bank (Banking Inspection and Supervision Department, State Bank’s branch); report of the people’s credit fund alone shall be submitted to the State Bank’s branch.

4. The independent assessment by external audit on the internal control system shall be performed in conformity with provisions of the State Bank on independent audit applicable to credit institutions.

Chapter III

INTERNAL AUDIT

Section 1: GENERAL PROVISIONS

Article 8. Objectives and fundamental functions of the internal audit

1. To operate for the safety, efficiency of the credit institution, foreign bank's branch.

2. To check, give independent assessment on the sufficiency, conformity, effectiveness and efficiency of the internal control system for improving and perfecting the internal control system. For the purpose of this objective, the unit performing internal audit is encouranged to consult and participate in the establishment, improvement and completion of the internal control system, providing that the principle of independence and objectiveness as prescribed in this Circular shall not be violated.

3. To identify and prevent any illegal act; improving the effectiveness of the management, administration and operation of the credit institution, foreign bank's branch.

4. To ensure the security of information and continuous operation of the operational information system.

5. To give recommendation in order to improve the efficiency of the systems, processes, regulations, helping to ensure the operation of the credit institution, foreign bank's branch is safe, effective and conformable to the laws.

Article 9. Fundamental principles of internal audit

1. Independence: the organization and operation of internal audit shall be independent from other units, management, operational divisions of the credit institution, foreign bank's branch; the internal auditor shall not be allowed to assume works that are subjects of internal audit; the credit institution is required to ensure that the internal audit shall not be hindered by any intervention in performing the reporting and assessment.

2. Objectiveness: the internal audit division, internal auditor shall be required to ensure the objectiveness, truthfulness, justice and unbias.

3. Professionality: internal auditor must be a person who has essential knowledge, qualification and skill in internal audit, does not concurrently assume other specialized positions or works of the credit institution, foreign bank's branch; the internal auditor should have adequate knowledge to identify signals of fraudulence, knowledge about risk in banking activity and measures of controlling information technology to perform the assigned works. The internal audit division shall have at least 01 auditor who is qualified and skilled to control key information technology and high-tech audits.

Article 10. Requirements for ensuring the fundamental principles of internal audit

1. An internal auditor must be equitable, unbiased and try to avoid any conflict of interests. An internal auditor shall be entitled and obliged to report any problem that is potential to affect his independence and objectiveness relating to the internal audit that is delegated by the head of the internal audit mechanism (hereinafter called the Chief of Internal Audit).

2. The Chief of Internal Audit shall thoroughly grasp, monitor and ensure the independence and objectiveness of the internal auditors. In case where the independence or objectiveness is or may be affected, the Chief of Internal Audit shall notify the Controllers’ Committee.

3. In the internal audit activity, the credit institution, foreign bank's branch shall implement following regulations so as to ensure the independence and objectiveness, to avoid the unfairness, bias and conflict of interests:

a) An internal auditor shall not audit any regulation, internal policy, procedure or process of which the auditor takes the main responsibility in the establishment;

b) The internal auditor has no conflict of interest with the audited unit, division; the internal auditor shall not audit the unit, division of which the manager is a related person of the internal auditor;

c) The internal auditor shall not participate in the audit of the operation, of which the auditor is in charge, or division, which is managed by the auditor in a period of 03 years since the decision that the auditor stops performing the operation or managing the division.

d) To have measures of checking to ensure the independence and objectiveness of the internal audit task immediately during the audit process at the audited unit, division and in the period of preparation, delivery of audit report;

e) Audit recognitions in the internal audit report shall be carefully analysed and based on the collected data, information for the purpose of objectiveness;

g) Result of the function performance of the Chief of Internal Audit shall be checked, reviewed and assessed by the Controllers’ Committee on a regular basis.

h. The internal audit shall be required to preserve the independence and objectiveness in auditing operations, procedures or divisions to which the internal audit provided consultancy previously. In this case, the internal audit shall be entitled and obliged to fully analyse and assess procedures, processes and internal control system. Responsibility for the operations, processes or divisions to which the internal audit provided consultancy previously shall still belong to the leader of the audited unit, division.

4. Credit institutions, foreign bank's branches shall be required to comply with provisions in Paragraph 3 Article 9 and Article 13 of this Circular in order to ensure the speciality of internal audit.

Article 11. Ensuring the quality of the internal audit activity

1. The credit institution, foreign bank's branch shall have a process of following up and assessing the quality of the internal audit activity. The credit institution, foreign bank's branch shall be required to carry out internal assessment to the activity of the internal audit so as to ensure the quality of the internal audit.

Internal assessment to the internal audit activity means the self-assessment of the internal audit activity at the end of the audit and the annual self-assessment to the overall internal audit activity that is performed by the very internal audit division so as to ensure the quality of the internal audit activity.

2. The annual internal audit assessment result shall be reported to the Controllers' Committee and recognized in the annual internal audit report.

Section 2: ORGANIZATION AND OPERATION OF INTERNAL AUDIT

Article 12. Organization of the internal audit

1. The internal audit of a credit institution (except for the case as stipulated in Paragraph 2 of this Article) shall be organized in a uniform and vertical system, or organized as an internal audit division at the head office, depending on the scale, level, scope and operation features of the credit institution. Internal audit shall be under the direct management of and be subject to the direction of the Controllers' Committee.

2. For a People’s credit fund that only has 01 specialized controller but not a Controllers’ Committee, the internal audit of the People’s credit fund shall be performed by the specialized controller.

3. Basing on the scale, level and operation feature of the credit institution and upon the proposal of the Controllers' Committee, the Board of Directors, Board of Members shall decide the organization of the internal audit apparatus, the regime on salary, bonus, responsibility allowances applicable to internal auditors, Chief and Deputy Chief of the internal audit.

4. The internal audit division of a foreign bank's branch may be assumed by the internal audit division of the head office or regional head office, providing that it is conformable to provisions in Paragraph 1 Article 89 of the Law on Credit institutions.

Article 13. Standards for internal auditors, Chief and Deputy Chief of internal audit

1. An internal auditor shall be required to fully satisfy the following standards:

a) To have honest character, consciousness of compliance with applicable laws;

b) To have general knowledge, understanding about the laws, business administration and banking operations;

c) To have bachelor degree or higher in appropriate speciality, to have adequate knowledge and regularly be updated with areas they are assigned to perform internal audit; for a people's credit fund, the internal auditor shall be required to have qualification of college level in appropriate speciality;

d) To be capable of collecting, analyzing, assessing and synthesizing information;

dd) To have knowledge and skills of the internal audit;

e) To have experience of working in financial, banking area or working in audit for at least 03 years; the internal auditor of a people's credit fund have have experience of working in financial, banking area or working in audit for at least 01 year;

g) To comply with rules on professional virtue as provided for in Article 22 of this Circular;

h) Other standards as provided for by the credit institution.

2. For an information technology auditor, in addition to standards as prescribed in Paragraph 1 of this Article, he must have experience of working in information technology for at least 03 years.

3. Besides standards as stated in points a, b, d, dd, g and h Paragraph 1 of this Article, the Chief and Deputy Chief of the internal audit shall, at least, have bachelor degree in banking, finance, accounting, auditing and have experience of working in financial, banking area for at least 05 years. For a people's credit fund, the Chief of internal audit shall, at least, have qualification of college level in banking, finance, accounting, auditing and have experience of working in financial, banking area for at least 02 years.

Article 14. Appointment, dismissal of titles of internal audit

1. Chief of the internal audit shall be appointed, dismissed by the Board of Directors, Board of Members of the credit institution upon request of the Head of the Controllers' Committee; or appointed, dismissed by a Competent person of the parent bank for a foreign bank’s branch.

2. The Deputy Chief of Internal Audit and other titles of the internal audit shall be appointed, dismissed by the Board of Directors, Board of Members upon request of the Chief of Controllers’ Committee on the basis of the recommendation of the Chief of Internal Audit; or appointed, dismissed by the General Director (Director) of the foreign bank’s branch.

Article 15. Scope of internal audit

Scope of internal audit activity shall include:

1. Auditing all activities, professional processes and units, departments of the credit institution, foreign bank's branch;

2. Unexpeced auditing and providing advices upon the request of the Board of Directors, Board of Members, Controllers' Committee, General Director (Director).

Article 16. Contents of the internal audit

1. Main contents of the internal audit activity shall be to assess the adequacy, effectiveness and efficiency of the internal control system.

2. Depending on the scale, level of risks as well as specific requirements of each credit institution, the internal auditors may check, assess the following contents:

a. The level of adequacy, the effectiveness and efficiency of the internal control system.

b. The application, the effectiveness and efficiency of the implementation of risk management policies and processes of the credit institution, including the processes which are implemented via the information technology system.

c. The adequacy, accuracy and security of the management information system and the financial information system, including the electronic information system and electronic banking service.

d. The adequacy, timeliness, truthfulness, reasonableness and accuracy of the accounting system and financial statements.

dd. The compliance with provisions of laws, regulations on prudential ratios in activities of the credit institution, foreign bank’s branch, internal provisions, professional operation processes, rules, professional virtue rules.

e. Internal regimes, policies, processes, regualtions, organizational structure of the credit institution, foreign bank’s branch.

g. Measures for ensuring the assets’ security; giving recommendations in order to improve the efficiency of systems, processes, regulations, helping to ensure the operation of the credit institution, foreign bank’s branch is safe, efficient and conformable with laws;

h. To assess the economicality and efficiency of the activities, the economicality and efficiency of the use of resources, through which the appropriateness level between the achieved results and proposed objectives shall be determined.

i. To perform other contents relating to the functions, duties of the internal auditor upon request of the Controllers' Committee, the Board of Directors, Board of Members;

k. In addition to provisions as stipulated in points a, b, c, d, dd, e, g, h and i in Paragraph 2 hereinabove, a foreign bank’s branch shall be required to audit in line with regulations of the parent bank in conformity with provisions of this Circular.

Article 17. Performance method of the internal audit

1. Performance method of the internal audit shall be “risk-oriented” auditing method, priority shall be given to resources concentration for auditing units, departments, processes which are considered as highly risky.

2. Internal auditor shall define, analyse, measure risks and draw up risk profile for each operation of the credit institution, foreign bank’s branch. The risk profile shall include all potential risks, possible effects of those risks on the operation of the credit institution, foreign bank’s branch and occurrence possibility of those risks. Basing on the valuation of the effect, possibility of the risk occurrence; each risk shall be classified into high, or medium or low risks. The measurement, classification of risks shall be performed on an annual basis at the minimum.

3. The result of risk measurement shall be the basis for the Chief of internal audit to work with the Controllers' Committee, the General Director (Director) and the Board of Directors, Board of Members in the preparation of the annual internal audit plan. All the risks shall be rated by descending order, activities which are considered as highly risky shall be given the priority to concentrate more resources, more time on the auditing, priority to perform the auditing first and more regular than those with low risk exposures.

4. The internal audit plan must be drawn up basing on the risk measurement results and must be updated, amended and adjusted in accordance with the development, changes in the operation of the credit institution, foreign bank’s branch and changes of accompanied risks.

Section 3: DUTIES, AUTHORITIES AND RESPONSIBILITIES OF THE INTERNAL AUDIT DIVISION

Article 18. Duties of the Internal audit division

1. To set up operational processes of internal audit at the credit institution for submission to the Controllers’ Committee for review and approval after reporting to the Board of Directors, Board of Members.

2. To make annual or unexpected plan on internal audit and perform internal audit activities

in line with the plan or unexpected audit upon request by the Board of Directors, Board of Members, Controllers’ Committee; to perform the approved policies, processes and procedures of internal audit on the basis of ensuring the quality and efficiency.

3. To perform independent, objective inspection, verification, review for all units, divisions, activities of the credit institution, foreign bank's branch (policies, procedures, processes or problems incurred in the operation) basing on the risk level (high, low or medium) and the impact on the credit institution’s operation. In respect of any matter that may cause bad effect to the credit institution’s operation, the internal auditor should make timely report on the nature and its impact on the credit institution’s operation and suggest practical recommendations to prevent and overcome these matters.

4. To suggest measures for correcting and overcoming shortcomigs; suggest the settlement of violations; recommend measures for completing, enhancing the effectiveness, efficiency of the internal control system

5. To valuate the correspondence of activities in order to prevent, surmount already reported weak points; activities for the purpose of completing the internal inspection, control system and follow up them till these issues are satisfactorily settled

6. To prepare audit report; timely inform and submit the results of internal audit in accordance with provisions in Articles 26, 27 and 28 of this Circular.

7. To develop, amend, supplement, complete the method of internal audit and operation scope of the internal audit activity in order to be able to update and catch up with the development of banking activity

8. To implement the process of ensuring quality of the internal audit work.

9. To set up a profile of ability level and requirements necessary for the internal auditor to make basis for recruitment, promotion, transfer of officers and fostering professional

10. To maintain the regular consultancy, discussion with the independent audit organization, the State Bank (Banking Inspection and Supervision Department, State Bank's branch) for the purpose of the efficient cooperation; to act as a unit that regulates, coordinates with external agencies for works relating to the function, assignment of the internal auditors.

11. To provide advice to the Managers, the Board of Directors, Board of Members of the credit institution, foreign bank's branch and operational divisions to carry out projects on setting up, new application or amendment of important operational processes; management and administration regime; process of risk identification, measurement and assessment, risk management, method of capital valuation; the accounting and information system; to perform new operations, products providing that the independence of the internal audit activity is not affected.

12. To perform other functions assigned by the Board of Directors, Board of Members, Controllers’ Committee.

Article 19. Authorities of the Internal audit division

1. To be fully equipped with necessary resources (human resource, financial resource and other necessary facilities).

2. To be entitled to take the initiative in performing their assignment under the approved auditing plan.

3. To be fully, timely supplied with all information, documents, files which are necessary for the internal audit activity.

4. To be entitled to access, review all operational processes, assets in the performance of audit activity.

5. To be entitled to approach, interview all officers, staff of the credit institution, foreign bank's branch for issues relating to the audited contents.

6. To be entitled to receive materials, documents and meeting minutes of the Board of Directors, Board of Members, Controllers' Committee, Managers, Executive Officers relating to the internal audit activity.

7. To be entitled to attend internal meetings in line with provisions of applicable laws, or in conformity with regulations in the Charter, internal regulations of the credit institution, foreign bank's branch.

8. To be entitled to supervise, evaluate and follow up the correction, overcoming, completion by the leaders of units, divisions in respect of issues which are recognized and recommended by the internal auditors.

9. To be protected from any acts of non-cooperation of the audited unit.

10. Internal auditors shall be entitled to regular training as to operational knowledge in order to be qualifiable and professional in performance of the assigned duties.

11. Other authorities in accordance with provisions of applicable laws.

Article 20. Responsibilities of the Internal audit division

1. To keep secret of the information, documents in accordance with current provisions of laws, of this Circular, of the Charter and of the Internal Regulation on internal audit of the credit institution, foreign bank's branch.

2 To take responsibility to the Controllers' Committee for the result of the internal audit activity; for the assessments, conclusions, petitions, proposals in the internal audit report.

3. To follow up the performance results of petitions after the internal audit of units, divisions of the credit institution, foreign bank's branch.

Section 4: POLICY AND PLAN OF INTERNAL AUDIT

Article 21. Policies on internal audit

1. Internal audit policy shall be an official basis and guidance for the internal audit activity and for each internal auditor. Policy on internal audit shall include an internal regulation on internal audit, a set of professional virtue rules, internal regulations on the organization and operation of internal audit, a process on internal audit and related provisions.

2. The internal regulation on internal audit should have an overview of the guideline, purpose, scope of operation, position, authority, function, assignment of the internal auditors in the credit institution, foreign bank's branch and relationship with other units, divisions; in which there are requirements of the independence, objectiveness, fundamental principles, requirements of the professional level and the assurance of quality of the internal audit activity. The internal regulation on internal audit of the credit institution, foreign bank's branch shall be established on the basis of the conformity with provisions of this Circular and current provisions of applicable laws.

3. The process on internal audit shall stipulate processes and provide detailed guidance on the method of risk evaluation, preparation of an annual internal audit plan, plan for each audit session, mode of the audit performance, preparation and submission of an auditing report, archive of internal audit files, materials. The process on internal audit may be provided for in the Internal Regulation on internal audit.

4. Based on provisions of this Circular, the credit institutions, foreign bank's branches shall draw up their policies and processes on internal audit in line with their specific operation characteristics. The credit institutions, foreign bank's branches are encouraged to apply international rules on internal audit providing that they are not in contrary to provisions of this Circular.

Article 22. Professional virtue rules

1. The credit institution, foreign bank's branch shall draw up a set of rules on professional virtue and ensure the maintenance of those rules in order to develop culture of professional virtue within the credit institution in general, and in the implementation of the internal audit work in particular. Internal auditors shall be required to comply with the rules on professional virtue in the performance of the internal audit and consultancy work.

2. An internal auditor shall be obliged to implement and maintain at least the following professional virtue rules:

a) To be truthful: An internal auditor must carry out their work truthfully, carefully and responsibly; comply with laws and perform all works publicly in accordance with provisions of applicable laws and of the profession; shall not deliberately involve in any illegal activity, or take part in activities that may result in the loss of prestige for the internal audit profession or for the credit institution; always respect and strive to make efficient contribution to proper and lawful objectives of the credit institution, foreign bank's branch;

b) To be objective: An internal auditor must express their professional objectiveness as best as he can during the collection, assessment and communication of information about activities or processes, systems that have been or are being audited. An internal auditor should give their fair assessment for all related issues and not be affected by private objectives, interests or by any person when giving their comment, assessment.

c) To be confidential: An internal auditor should respect the value and the ownership of received information, shall not be permitted to disclose the information without the valid authorization unless they are obliged to disclose the information in accordance with provisions of applicable laws and internal regulations of the credit institution, foreign bank's branch.

d) To be responsible: An internal auditor must always be highly responsible, strive to learn, continuously develop his professonal capacity, apply all the gained knowledge, skills and experiences to perform the internal audit in the most efficient manner;

dd) To be cautious: An internal auditor must always be careful and have necessary skills of a cautious auditor by paying more attention to the followings:

- Necessary time limit for finishing the proposed targets;

- The complexity, necessity or importance of the issues so as to apply the proper process;

- The conformity and efficiency of management and operation processes;

- Probability of serious mistake, illegal acts;

- Expense on operation in relation to potential benefits.

3. The Chief of Internal Audit shall, apart from ensuring professional virtue rules as stipulated in Paragraph 2 of this Article, take measures for following up, assessment, management in order to ensure the compliance with the rules on professional virtue by internal auditors.

Article 23. Annual internal audit plan

1. Basing on the scale, the growth rate, risk level of activities and available resources (human, financial resources, ect), the Chief of Internal Audit shall draw up an annual internal audit plan, including the audit scope, audit objectives, audit time and the allocation of resources.

2. The annual internal audit plan of a credit institution, foreign bank's branch must satisfy following requirements:

a) Risk based orientation: operations and units, managing and professional operation departments with high risk level must be audited at least once a year;

b) Ensuring the comprehensiveness: all operational processes, units, managing, professional operation departments of the credit institution shall be audited; processes, units, departments that have been evaluated as having the lowest risk exposure shall be audited on the basis of every three (03) years at the minimum;

c) A sufficient time fund shall be made up for the performance of unexpected audit sessions upon request of the Controllers' Committee, or upon availability of information about the signal of violation, signal of high risk of audited subjects;

d) The adjustment may be made where there is a basic change in the operation scale, risk development or current resources.

3. The internal audit plan for the following year shall be submitted to the Board of Directors, Board of Members, Controllers' Committee, General Director (Director) of the credit institution before 30 November of every year; Before 31 December of every year, the Controllers' Committee of the credit institution shall submit this audit plan to the State Bank (Banking Inspection and Supervision Department, State Bank's branch). Internal audit plan of a people's credit fund shall only be submitted to the State Bank's branch.

Article 24. Approval of policy on internal audit and internal audit plan

1. Policy on internal audit (excluding internal regulation on the organization and operation of internal audit) shall be discussed with the General Director (Director) by the Controllers’ Committee and approved and signed for issuance by the Chief of the Controllers’ Committee after having reported to the Chairman of the Board of Directors, Chairman of Board of Members.

2. Internal regulation on the organization and operation of the internal audit shall be approved and signed for issuance by the Chairman of Board of Directors, Chairman of Board of Members on the basis of the proposal of the Controllers' Committee.

3. The internal audit plan shall be discussed with the General Director (Director) by the Controllers’ Committee and approved by the Chief of the Controllers’ Committee on the basis of agreement with the Chairman of Board of Directors, Chairman of Board of Members.

4. Within a period of 10 working days since the approval, the internal audit policy, internal audit plan of the credit institution, foreign bank's branch (except for the internal audit plan as provided for in Paragraph 3 Article 23 of this Circular) shall be sent to the State Bank

(Banking Inspection and Supervision Department) for information and follow-up; People's credit fund shall only send to State Bank's branch. The State Bank shall be entitled to contribute its opinion or ask to amend some contents of the internal audit policy if provisions of this Circular have not been satisfied yet.

Article 25. Performance of the internal audit plan

1. The Chief of Internal Audit shall organize the implementation of the annual internal audit plan and special unexpected audits upon the request of the Board of Directors, Board of Members, Controllers' Committee and General Director (Director).

2. Scope, cycle and method of auditing, auditing process must assure that the auditing result truly reflects the actual situation of the audited contents.

Section 5: REGIME ON REPORTING AND ARCHIEVE OF INTERNAL AUDIT RECORDS, DOCUMENTS

Article 26. Audit report

1. The internal audit division of the credit institution shall timely draw up, complete and send an audit report to the Board of Directors, Board of Members, Controllers' Committee, General Director (Director) and audited units, divisions within a period of one month at the maximum since the ending of each audit.

2. The audit report must clearly state: audited contents, scope of the audit; assessments, conclusions of the audited contents and bases of the opinions; shortcomings, error, violation, explanations of the subjects of audit; recommendig methods for error correction, overcoming and violation settlement; recommending methods fopr rationalizing, improving the operational process; completing the risk management mechanism, organizational structure of the credit institution (if any).

3. An audit report must be supported by the opinion of the leadership of the audited unit, division. In the event where the audited unit does not agree with the audit result, the internal audit report should state clearly the disagreement of the audited unit and the reason thereof.

Article 27. Irregular report

1. The Chief of Internal Audit shall make an irregular report in accordance with following provisions:

a. Immediately reporting to the Controllers' Committee, Board of Directors, Board of Members, General Director (Director), State Bank (Banking Inspection and Supervision Department, State Bank's branch) if any serious violation is detected or where any high risk exposure that may cause bad effect to the operation of the credit institution is realized.

b. Timely informing the Manager of the unit whose the activity is audited if the shortcomings stated in the audit report are not timely corrected and overcome after a prescribed period of time.

c. After having informed the Manager of the unit of which the activity is audited in accordance with provisions in Point b of this Paragraph, if the relevant shortcomings have not been corrected and surmounted yet, they must be timely reported in writing to the Controllers' Committee, the Board of Directors, Board of Members and General Director (Director) of the credit institution.

2. In the event where the internal audit of a foreign bank's branch is undertaken by the internal audit of the head office or regional office, the Parent bank of that foreign bank's branch shall be required to promptly report the State Bank (Banking Inspection and Supervision Department, State Bank's branch) if any serious violation is detected or where any high risk exposure that may cause bad effect to the operation of the foreign bank's branch is realized.

Article 28. Annual audit report

1. After 45 days at the latest since the ending of the fiscal year, the Chief of the internal auditor shall send a general report on the performance result of the internal audit plan in the previous year to the Controllers' Committee, the Board of Directors, Board of Members, the General Director (Director). The general report on the performance result of the internal audit plan of the previous year shall state clearly: the proposed audit plan; the already performed audit activities; serious shortcomings, violations that have been detected; methods proposed by the internal auditors for the correction and overcoming of the shortcomings, violations; assessment of the internal inspection, control system relating to audited activities and proposals for the perfection of the internal inspection, control system; the performance of methods, petition, recommendations of the internal auditors.

2. After 60 days at the latest since the ending of the fiscal year, the Controllers' Committee of the credit institution shall send a general report on the performance result of the internal audit plan of the previous year with contents as provided for in Paragraph 1 of this Article to the State Bank of Vietnam (Banking Inspection and Supervision Department, State Bank's branch). A people's credit fund shall submit its general report on the internal audit result of the previous year to the State Bank's branch.

Article 29. Archive of internal records, documents

1. Audit reports and audit records, documents shall be archived at the internal audit division in accordance with provisions of applicable laws.

2. Files, documents of each audit shall be recorded as written documents, archived by order so that individuals, organizations that are competent to exploit (who have professional qualification and knowledge of banking activity) can understand the audit works, the result of the audit.

Chapter IV

RESPONSIBILITIES OF RELATED UNITS

Section 1: RESPONSIBILITY OF CREDIT INSTITUTIONS, FOREIGN BANK’S BRANCHES

Article 30. Responsibility of the Board of Directors, Board of Members

1. For the internal control system

a. On an annual basis, to review, assess, the internal control system; in which attention should be paid to the system of risk identification, measurement, assessment, and mananement, capital assessment method, financial report information and management information system;

b. To promulgate and periodicaly review, assess the business strategy as well as the main targets, policies of credit institution, foreign bank's branch;

c. To guarantee the reasonable and effective establishment and maintenance of the internal control system by the General Director (Director); in which there must be a system of risk identification, measurement, assessment and management; a capital assessment system; the faithful, reasonable, sufficient and timely financial report information system and management information system.

d. To monitor and timely speed up the implementation of guidelines, requirements of the State Bank on internal control at credit institution, foreign bank's branch, to supervise and speed up the implementation.

2. For internal audit

a. To promulgate internal regulations on the organization and operation of internal audit, which specifies the targets, tasks, position, power, responsibilities, reporting regime, relationship with other divisions of the credit institution; responsibilities, power of the Chief of Internal audit; basic principles, requirements of internal audit in accordance with provisions of this Circular;

b. To make decision on the organization of the internal audit; to appoint, dismiss the Chief of Internal Audit and other titles of the internal audit upon the request of Controllers’ Committee;

c. To sufficiently equip the resources (human resource, financial resource, and other facilities) and create favorable condition for internal audit unit to complete the tasks in line with provisions of this Circular;

d. To make decision on the implementation of recommendations of the internal audit; to speed up, follow up the operational units in performing recommendations of the internal audit, and to have timely solutions upon availability of reports as stated in Article 26, Article 27 and Article 28 of this Circular or availability of proposal, suggestion of the Chief of Controllers' Committee, Chief of Internal Audit;

dd) To make decision on the financial regime, the mechanism for wage, bonus, allowance for the Internal audit division and its staff within the competence scope.

Article 31. Responsibility of the General Director (Director)

1. For internal control system

a. To be responsible to the Board of Directors, Board of Members, parent bank of the foreign bank’s branch for the implementation of the business strategy and major targets, policies approved by the Board of Directors, Board of members, and parent bank of the foreign bank’s branch;

b. The General Director (Director) of the credit institution, foreign bank's branch is the first person responsible for carrying out the inspection, assessment on the internal control system and takes final responsibility for the sensibility, effectiveness and efficiency of the internal control system;

c. To establish, maintain, and develop the internal control system in a reasonable and effective way, meeting the requirements for identification, measurement, assessment, and management of risks, reasonable capital assessment method, ensuring the legal, effective, and safe operation of credit institutions, foreign bank's branches;

d. To draw up and promulgate specific operational procedures for every operations of the credit institution, foreign bank’s branch; to assure the availability of control policy, risk management policy in accompany with specific operational procedure;

dd) To maintain and implement the organizational structure, power delegation and authorization, business management in a clear and effective manner;

e) To maintain the financial information and management information system in a faithful, reasonable, sufficient and timely way;

g) To ensure the compliance with applicable laws and internal regulations, procedures;

h) On an annual basis, to report the Board of Directors, Board of Members, Controllers' Committee, parent bank of the foreign bank’s branch on the self-assessment of the internal control system and related recommendations, suggestions in order to modify, supplement and complete the internal control system.

2. For the internal audit

a. To create favorable condition for the internal audit to perform the assigned tasks and to direct the units, management and operational divisions to cooperate with tghe internal audit division as provided for in the internal regulation on internal audit or as directed by the Board of Directors, Board of Members;

b. To speed up the units, management, operational divisions in implementing the recommendations that were agreed with internal audit division, or as directed by the Board of Directors, Board of Members; to inform the internal audit division on the implementation of the recommendations as already agreed with the internal audit division;

c. To notify the internal audit about the internal meeting sessions;

d. To timely notify the internal audit division of any cases of material loss or fraud, cases that are in the risk of loss and fraud;

dd. To ensure that the internal audit division to be adequately informed of changes, arising issues in the operation of the credit institution, the new initiatives, products in order to early identify relevant risks.

Article 32. Responsibility of the Controllers' Committee

1. For the internal control system

a. To direct and operate the internal audit division to perform the checking, assessment independently, objectively on the internal control system, including the system of risk identification and mananement, capital assessment method, financial report information and management information system; internal procedures and regulations of the credit institution, foreign bank's branch;

b. To periodically inform the Board of Directors, Board of Members, General Director (Director) on the internal control system; to give proposal, suggesttion in order to modify, complete the internal control system.

2. For the internal audit division

a. To directly steer, manage and supervise the operation of the Internal audit division;

b. To perform the checking, assessment to ensure the effectiveness of internal auditing activity; take major responsibility for guaranteeing the quality of internal auditing activity;

c. To ensure that the internal audit has an appropriate position in the credit institution and that there is no unreasonable obstacles for internal audit activity;

d. To establish, amend, supplement and constantly complete internal regulations on the organization and operation of the internal audit and submit to the Board of Directors, Board of Members for decision;

dd) To approve the internal audit policies (except for the case as stipulated in point d of this Paragraph); to approve and adjust the annual plan for internal audit upon request by the Chief of Internal Audit, ensuring the internal audit plan is risk-oriented;

e) To ensure the effective collaboration with independent audit, State audit, State Bank (Banking Inspection and Supervision Department and State Bank’s branch);

g) To review, propose the Board of Directors, Board of Members to appoint, dismiss the Chief of Internal Audit and other titles of the internal audit; to organize the apparatus of the internal audit;

h) To personally report to every agency, every level in and outsite the credit institution in accordance with provisions of applicable laws and of the credit insitution; to submit the report to the State Bank as stipulated in this Circular.

Article 33. Responsibility of the Chief of Internal Audit

1. For the internal control system

Chief of Internal Audit shall be responsible for guaranteeing the sufficient performance of all functions, tasks, and powers related to the audit in respect of the internal control system as stipulated in this Circular and relevant internal regulations of the credit institution.

2. For the internal audit

a. To make the annual internal audit plan for submitting to Controllers' Committee for approval;

b. To organize the implementation of the internal audit plan that has been approved by the Controllers' Committee and the unexpected audit sessions as assigned by the Board of Directors, Board of Members, Controllers' Committee, General Director (Director);

c. To establish, amend, supplement, and constantly complete the method, policy, procedure for internal audit for submitting to the Controllers' Committee;

d. To ensure that internal auditors receive regular training, have adequate professional qualifications and skills to perform the internal audit task;

dd. To adjust the internal audit plan and submit to the Controllers' Committee for approval;

e. To request to appeal for staff from other divisions of the credit institution to take part in the internal audit if it may deem necessary, providing that the independence of the internal audit is ensured;

g. To attend meetings in accordance with the internal regulations of the credit institution and provisions of this Circular;

h. To report the Controllers' Committee, Board of Directors, Board of Members, General Director (Director) when finding out any weakness, shortcoming, mistake of the control system and of the Manager;

i. To follow up the implementation of post-audit recommendations; make and submit reports in line with provisions of this Circular.

k. To consider and recommend the Controllers’ Committee to request the Board of Directors, Board of Members to appoint, dismiss the Deputy Chief of Internal Audit and other titles of the internal audit; to organize the apparatus of the internal audit;

l. To take responsibility to the Board of Directors, Board of Members, Controllers’ Committee for the audit result performed by the internal audit division.

Article 34. Responsibility of an internal auditor

1. To verify that the information is sufficient, reliable, suitable and helpful for performing the auditing targets.

2. Based on the suitable analysis and assessment, to give conclusion and audit results independently and objectively.

3. To keep relevant information in order to support the conclusions and to give audit results.

4. Take responsibility to the law and to the Chief of Internal Audit for the audit results performed by him/her.

Article 35. Responsibility of units, management and operational divisions for the internal audit

1. To provide all information, documents, profiles that are necessary to the internal audit upon request by the Internal audit division in an honest and accurate manner without concealing any information.

2. To immediately inform the Internal audit division upon detection of any considerable weaknesses, shortcomings, violence, risks, losses of assets (or danger of assest loss), or upon availability of changes in the internal control system at the unit.

3. To implement the recommendations as already agreed with the Internal audit division and/or in accordance with the direction of the Board of Directors, Board of Members.

4. To create most favourable condition for the internal audit division to achieve the highest efficiency as possible.

Section 2: RESPONSIBILITY OF THE STATE BANK

Article 36. Responsibility of the Banking Inspection and Supervision Department

1. To perform the inspection, supervision on the compliance with regulations on internal control of credit institutions, foreign bank's branches, internal audit of credit institutions as stipulated in this Circular.

2. Annually, to assess the quality and efficiency of the internal audit activity of credit institutions, foreign bank’s branches, to strengthen providing consultancy and coordinating with internal audit divisions of the credit institutions for improving the efficiency of he internal audit activity and the inspection, supervision activity of the credit institutions, foreign bank’s branches.

3. To handle, within competence, or submit to the State Bank’s Governor for dealing with cases of violating provisions of this Circular and provisions of applicable laws.

4. To instruct the credit institutions, foreign bank's branches, State Bank’s branches in the implementation of this Circular.

Article 37. Responsibility of State Bank's branches

1. To inspect, supervise or coordinate with the Banking Inspection and Supervision Department in performing the inspection, supervision on the compliance with regulations on internal control system, internal audit by credit institutions, foreign bank's branches whose head offices are located in the local area in line with provisions of this Circular.

2. To handle, within competence, or submit to the State Bank’s Governor for dealing with cases of violating provisions of this Circular and provisions of applicable laws.

3. To inspect, supervise the compliance with regulations on internal control system, internal audit by people’s credit funds in line with provisions of this Circular; on an annual basis, to assess the quality and efficiency of the internal audit by the people’s credit funds.

4. To receive reports, plans on the deployment of internal audit from people’s credit funds.

Chapter V

IMPLEMENTATION PROVISIONS

Article 38. Transitional provisions

1. Within a period of 06 months since the effective date of this Circular, credit institutions, foreign bank's branches must perform the self-checking, adjustment so as to observe principles, requirements, provisions on internal control system stipulated in this Circular and send their internal regulations on internal audit to the State Bank (Banking Inspection and Supervision Department, State Bank’s branch). The People's credit fund shall only send to the State Bank’s branch.

2. On 31 December 2012 at the latest, the credit institutions, foreign bank’s branches shall be required to finish the adjustment of the organizational structure of their internal audit in accordance with provisions of the Law on Credit institutions and of this Circular.

Article 39. Implementation effectiveness

1. This Circular shall be effective from 12 February 2012.

2. The Decision No. 36/2006/QD-NHNN dated 01/8/2006 issued by State Bank’s Governor on the issuance of the Regulation on internal inspection, control of credit institutions and Decision No. 37/2006/QD-NHNN dated 01/8/2006 issued by State Bank Governor on the issuance of the Regulation on internal control of credit institutions shall expire since the effective date of this Circular.

Article 40. Implementation organization

Director of Administrative Department, Director of the Banking Inspection and Supervision Agency, Head of units of the State Bank of Vietnam, General Manager of State Bank's branches in provinces, cities, Chairman and members of the Board of Directors, Board of Members, Chief and members of the Controllers' Committee, General director (Director) of credit institutions, foreign bank's branches and related organizations, individuals shall be responsible for the implementation of this Circular.